fix: enable delete_branch_on_merge and add settings enforcement script#104

Open
don-petry wants to merge 2 commits into main from claude/issue-90-20260414-1252

@don-petry
Contributor

Summary

  • Applies delete_branch_on_merge: true directly to the repository via GitHub API to resolve the compliance finding
  • Adds .github/scripts/apply-repo-settings.sh — an idempotent script that enforces all required repository settings from the org standard

Settings enforced by the script

| Setting | Value |
|---|---|
| delete_branch_on_merge | true |
| allow_auto_merge | true |
| allow_squash_merge | true |
| allow_merge_commit | true |
| allow_rebase_merge | true |
| has_issues | true |
| has_wiki | false |
| squash_merge_commit_title | PR_TITLE |
| squash_merge_commit_message | COMMIT_MESSAGES |

Test plan

  • delete_branch_on_merge: true confirmed via gh api repos/petry-projects/markets --jq .delete_branch_on_merge
  • Run .github/scripts/apply-repo-settings.sh with an admin token to verify idempotency
  • Confirm next compliance audit closes issue Compliance: delete_branch_on_merge #90

Closes #90

Generated with Claude Code
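
A read-back check for the settings table in the PR description, written here as an added example (it is not the PR's `apply-repo-settings.sh` and not the project's code): it compares fetched values with the required ones and returns non-zero on drift. The `key=value` input format, the `check_drift` function and the sample data are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the PR's script: read-back drift check for the settings table.
# Assumed input: one "key=value" line per setting, e.g. from
#   gh api repos/OWNER/REPO --jq '{...} | to_entries[] | "\(.key)=\(.value)"'
# with the nine keys listed in the object. gh evaluates --jq itself, so no
# external jq binary is needed.

# Required values, copied from the PR's "Settings enforced by the script" table.
REQUIRED='delete_branch_on_merge=true
allow_auto_merge=true
allow_squash_merge=true
allow_merge_commit=true
allow_rebase_merge=true
has_issues=true
has_wiki=false
squash_merge_commit_title=PR_TITLE
squash_merge_commit_message=COMMIT_MESSAGES'

# check_drift ACTUAL: prints one DRIFT line per mismatch; returns 1 on any drift.
check_drift() {
  actual=$1
  drift=0
  # The here-document keeps the loop in the current shell, so $drift survives it.
  while IFS='=' read -r key want; do
    # Exact key match; a key absent from the response is reported as <missing>.
    got=$(printf '%s\n' "$actual" | awk -F= -v k="$key" \
      '$1 == k { print $2; found = 1 } END { if (!found) print "<missing>" }')
    if [ "$got" != "$want" ]; then
      printf 'DRIFT %s: want=%s got=%s\n' "$key" "$want" "$got"
      drift=1
    fi
  done <<EOF
$REQUIRED
EOF
  return "$drift"
}

# Constructed sample responses (not real API output).
SAMPLE_OK=$REQUIRED
SAMPLE_BAD=$(printf '%s\n' "$REQUIRED" |
  sed -e 's/^delete_branch_on_merge=true$/delete_branch_on_merge=false/' -e '/^has_wiki=/d')

if check_drift "$SAMPLE_OK"; then echo "SAMPLE_OK: compliant"; fi
if ! check_drift "$SAMPLE_BAD"; then echo "SAMPLE_BAD: drift detected"; fi
```

Run after the PATCH, the non-zero return lets a caller or scheduled audit fail when a setting did not take effect, instead of relying on someone reading the printed JSON.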

Closes #90

Adds .github/scripts/apply-repo-settings.sh — an idempotent script that
applies all required repository settings from the org standard:
  https://github.com/petry-projects/.github/blob/main/standards/github-settings.md

Settings enforced:
  - delete_branch_on_merge: true  (compliance fix for #90)
  - allow_auto_merge: true
  - allow_squash_merge / merge_commit / rebase_merge: true
  - has_issues: true, has_wiki: false
  - squash_merge_commit_title: PR_TITLE
  - squash_merge_commit_message: COMMIT_MESSAGES

Also applied delete_branch_on_merge: true directly via GitHub API so the
next compliance audit run will see the correct value without waiting for
the script to be executed manually.

Co-authored-by: don-petry <don-petry@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 14, 2026 12:55
@coderabbitai

coderabbitai Bot commented Apr 14, 2026

Warning

Rate limit exceeded

@github-actions[bot] has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 44 minutes and 8 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 44 minutes and 8 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5e3c1d9d-1843-4823-9a93-521609c8b651

📥 Commits

Reviewing files that changed from the base of the PR and between bca8483 and 97a3001.

📒 Files selected for processing (1)
  • .github/scripts/apply-repo-settings.sh

@don-petry
Contributor Author

Hey @don-petry — this PR is ready for review and merge. It fixes the compliance finding by explicitly enabling delete_branch_on_merge: true (applied directly to the repo via GitHub API) and adds .github/scripts/apply-repo-settings.sh to make the required settings explicit, documented, and re-applicable in the future.

@sonarqubecloud

Copilot AI left a comment

Pull request overview

This PR addresses org compliance for GitHub repository settings by adding a repo-local enforcement script intended to keep the petry-projects/markets repository aligned with the org’s standard defaults (including delete_branch_on_merge: true).

Changes:

  • Added an idempotent .github/scripts/apply-repo-settings.sh script that PATCHes the repository settings via gh api.
  • Script prints a focused subset of resulting repository settings for quick verification after applying changes.

has_wiki,
squash_merge_commit_title,
squash_merge_commit_message
}' | jq .
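
Review bot: The read-back that ends at `}' | jq .` only pretty-prints the selected fields (has_wiki, squash_merge_commit_title, squash_merge_commit_message and those above them); as far as these lines show, nothing compares them with the required values, so the exit status says nothing about whether the settings actually match the standard. For a compliance enforcement script, consider comparing each returned field with its expected value and exiting non-zero on any mismatch, so that a setting GitHub did not apply is visible to the caller rather than only to someone reading the output.
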

Copilot AI Apr 14, 2026

The gh api call already filters the response with --jq, but the additional | jq . introduces a hard dependency on an external jq binary and (because of set -o pipefail) can cause the script to exit non‑zero after successfully applying settings if jq isn’t installed. Consider dropping the pipe to jq, or making pretty-printing optional (e.g., only pipe when jq is available).

Suggested change
}' | jq .
}'

@don-petry
Contributor Author

Automated review — APPROVED

Risk: MEDIUM
Reviewed commit: 145ba2806f877055c59ecc1942b5682d56aca9f3
Cascade: triage → deep (see triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6 for models)

Note: Approval review was blocked by GitHub (cannot self-approve). This verdict is posted as a comment; a human reviewer can formally approve.

Summary

PR #104 adds a manual idempotent bash script to enforce GitHub repository settings (fixing compliance issue #90). The script requires a human to supply an admin GH_TOKEN at runtime — no secrets are hardcoded, no CI automation is introduced, and all security scanners (CodeQL, SonarCloud, AgentShield) passed clean. Risk is MEDIUM solely because the script exercises GitHub administration scope, but the implementation is sound.

Findings

Info

  • [info] .github/scripts/apply-repo-settings.sh:37 — Using -F (typed field) for string enum values squash_merge_commit_title=PR_TITLE and squash_merge_commit_message=COMMIT_MESSAGES is benign — gh CLI passes non-numeric, non-boolean values as strings — but -f (raw string) would be more explicit and self-documenting.
  • [info] .github/scripts/apply-repo-settings.sh:22 — export GH_TOKEN after the nil-check is slightly redundant when the caller uses GH_TOKEN=value bash script.sh (already in the child environment), but it is a useful safety net if the script is ever sourced or if a wrapper exports it post-assignment.
  • [info] .github/scripts/apply-repo-settings.sh:15 — REPO is hardcoded to petry-projects/markets. This is intentional and actually desirable for a compliance-enforcement script, but a comment explaining the deliberate choice would reduce future confusion.

CI status

All automated checks passed (ci-green, CodeQL clean, SonarCloud zero issues). Merge is currently BLOCKED — likely pending branch-protection requirements (e.g. required human review). The automated approval is recorded; a human review may still be required by branch policy.


Reviewed by the don-petry PR-review cascade (triage: haiku 4.5 → deep: sonnet 4.6 + duck: gpt-5.4 → audit: opus 4.6). Reply with @don-petry if you need a human.

@don-petry don-petry enabled auto-merge (squash) April 16, 2026 21:55
don-petry added a commit that referenced this pull request Apr 19, 2026
Adds `.github/scripts/apply-repo-settings.sh` — an idempotent script
that applies all repository settings required by the org standard:
  https://github.com/petry-projects/.github/blob/main/standards/github-settings.md

Settings enforced:
- delete_branch_on_merge: true  (compliance finding #90)
- allow_auto_merge: true
- allow_squash_merge / allow_merge_commit / allow_rebase_merge: true
- has_issues: true, has_wiki: false
- squash_merge_commit_title: PR_TITLE
- squash_merge_commit_message: COMMIT_MESSAGES

The setting has also been applied directly via the GitHub API this run.
Supersedes PRs #104 and #118 (same intent, never merged).

Closes #90

Co-authored-by: don-petry <don-petry@users.noreply.github.com>